Now that "virtualenv" is installed, let's continue with the install
According to Mike's write-up, we should see exactly one "lsass.exe", and its parent should be "winlogon.exe". However, as shown above (and as Mike also notes), this image has three "lsass.exe" processes: one whose parent is "winlogon.exe" and two whose parent is "services.exe". That alone is reason to take a closer look at all three.
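The parent-process check described above is easy to automate. The following is an added example, not code from the original post or from Rekall: it renders a pstree-style view of a constructed process listing and flags any process whose parent does not match the lineage expected on a single-session Windows XP box, as well as any "singleton" system process that appears more than once. The listing is constructed to mirror the shape of the case above; only PIDs 680 and 1928 come from the post, the other PIDs are illustrative.

```python
# Added example (not from the original post, not Rekall code).
# pstree-style lineage check over a constructed process listing.
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str


# Constructed sample. Only PIDs 680 and 1928 are taken from the post;
# every other PID here is illustrative.
SAMPLE = [
    Proc(4, 0, "System"),
    Proc(376, 4, "smss.exe"),
    Proc(600, 376, "csrss.exe"),
    Proc(624, 376, "winlogon.exe"),
    Proc(700, 624, "services.exe"),
    Proc(680, 624, "lsass.exe"),      # legitimate: parent is winlogon.exe
    Proc(900, 700, "lsass.exe"),      # suspect: parent is services.exe
    Proc(1928, 700, "lsass.exe"),     # suspect: parent is services.exe
]

# Expected parent for core system processes on single-session Windows XP.
EXPECTED_PARENT = {
    "smss.exe": "system",
    "csrss.exe": "smss.exe",
    "winlogon.exe": "smss.exe",
    "services.exe": "winlogon.exe",
    "lsass.exe": "winlogon.exe",
}

# Processes of which exactly one instance is expected on XP.
SINGLETONS = {"smss.exe", "winlogon.exe", "services.exe", "lsass.exe"}


def pstree_lines(procs):
    """Return an indented tree, one line per process, children sorted by PID."""
    by_pid = {p.pid: p for p in procs}
    children = {}
    for p in procs:
        children.setdefault(p.ppid, []).append(p)
    roots = [p for p in procs if p.ppid not in by_pid]
    lines = []

    def walk(p, depth):
        lines.append(f"{'.' * depth}{p.name} (pid {p.pid}, ppid {p.ppid})")
        for c in sorted(children.get(p.pid, []), key=lambda c: c.pid):
            walk(c, depth + 1)

    for r in sorted(roots, key=lambda r: r.pid):
        walk(r, 0)
    return lines


def lineage_anomalies(procs):
    """Return (pid, name, actual_parent_name) for processes with an unexpected parent."""
    by_pid = {p.pid: p for p in procs}
    out = []
    for p in procs:
        expected = EXPECTED_PARENT.get(p.name.lower())
        if expected is None:
            continue
        parent = by_pid.get(p.ppid)
        actual = parent.name.lower() if parent else "<missing>"
        if actual != expected:
            out.append((p.pid, p.name.lower(), actual))
    return out


def duplicate_singletons(procs):
    """Return {name: sorted pids} for singleton processes seen more than once."""
    seen = {}
    for p in procs:
        name = p.name.lower()
        if name in SINGLETONS:
            seen.setdefault(name, []).append(p.pid)
    return {n: sorted(pids) for n, pids in seen.items() if len(pids) > 1}


if __name__ == "__main__":
    print("\n".join(pstree_lines(SAMPLE)))
    print("lineage anomalies:", lineage_anomalies(SAMPLE))
    print("duplicated singletons:", duplicate_singletons(SAMPLE))
```

On a real image the listing would come from pslist/pstree output rather than a hard-coded table; the two checks are deliberately separate because a duplicated process and a wrongly-parented process are different signals, and on Vista and later (multiple sessions, svchost-hosted services) the expected-parent table must be adjusted.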
From the above image, we see that the three "lsass.exe" processes have essentially the same SIDs, so the SIDs alone do not separate the legitimate process from the other two.
The listing for PID 1928 has been truncated in the image, but even so its DLL count is lower than that of PID 680.
As we can see, there is an executable "MZ" signature (the start of a PE image) at offset 0x80000 in both of these PIDs.
As shown above, the strings "ZwMapViewOfSection", "ZwCreateSection", "ZwOpenFile", "ZwClose", "ZwQueryAttributesFile" and "ZwQuerySection" do not appear in the legitimate lsass.exe (PID 680), but they do appear in the other two.
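The two observations above (an MZ/PE header at the start of an executable private region, and a set of Zw* names present only in the suspect processes) are exactly what a malfind-style triage automates. The following is an added example, not code from the original post or from Rekall: it walks a constructed set of memory regions, flags executable private regions that begin with a well-formed MZ/PE header, and extracts printable strings from each flagged region to check for the API names listed above. The region bytes and PIDs other than 680 and 1928 are constructed for the example; the base address 0x80000 is the one from the post.

```python
# Added example (not from the original post, not Rekall code).
# malfind-style triage: executable private region + MZ/PE header + Zw* strings.
import re
import struct
from dataclasses import dataclass

# API names the post reports as present only in the suspect lsass.exe processes.
ZW_APIS = (
    "ZwMapViewOfSection",
    "ZwCreateSection",
    "ZwOpenFile",
    "ZwClose",
    "ZwQueryAttributesFile",
    "ZwQuerySection",
)
WATCH_APIS = set(ZW_APIS)


@dataclass(frozen=True)
class Region:
    pid: int
    start: int
    protection: str   # e.g. "PAGE_EXECUTE_READWRITE"
    private: bool     # True for private (VadS) memory, False for file-backed mappings
    data: bytes


def build_fake_pe(strings=()):
    """Constructed 0x200-byte buffer with a minimal MZ header, e_lfanew and PE signature."""
    buf = bytearray(0x200)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)   # e_lfanew -> PE signature at 0x80
    buf[0x80:0x84] = b"PE\0\0"
    off = 0x100
    for s in strings:                         # embed NUL-terminated names
        blob = s.encode() + b"\0"
        buf[off:off + len(blob)] = blob
        off += len(blob)
    return bytes(buf)


def looks_like_pe(data):
    """True if data starts with 'MZ' and e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew < 0x40 or e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def ascii_strings(data, min_len=4):
    """Printable-ASCII runs of at least min_len bytes, decoded to str."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def suspicious_imports(data):
    """Watched API names that occur as strings in the region."""
    return sorted(WATCH_APIS.intersection(ascii_strings(data)))


def find_injected(regions):
    """(pid, start) for executable private regions carrying a PE header."""
    hits = []
    for r in regions:
        if r.private and "EXECUTE" in r.protection and looks_like_pe(r.data):
            hits.append((r.pid, r.start))
    return hits


# Constructed regions. PIDs 680 and 1928 and base 0x80000 come from the post;
# PID 900 and every byte of content are illustrative.
INJECTED = build_fake_pe(ZW_APIS)
SAMPLE_REGIONS = [
    Region(680, 0x80000, "PAGE_READWRITE", True, bytes(0x200)),          # legit: plain heap
    Region(680, 0x7C800000, "PAGE_EXECUTE_READ", False, build_fake_pe()), # legit: mapped DLL
    Region(900, 0x80000, "PAGE_EXECUTE_READWRITE", True, INJECTED),
    Region(1928, 0x80000, "PAGE_EXECUTE_READWRITE", True, INJECTED),
]


if __name__ == "__main__":
    for pid, start in find_injected(SAMPLE_REGIONS):
        region = next(r for r in SAMPLE_REGIONS if r.pid == pid and r.start == start)
        print(f"pid {pid} region 0x{start:x}: {suspicious_imports(region.data)}")
```

Note the file-backed (non-private) PAGE_EXECUTE_READ region in PID 680 is not flagged even though it carries a PE header: a mapped DLL is expected to look like that, which is why malfind keys on private executable memory rather than on the MZ bytes alone. The string check is a triage aid, not proof; a resolved import table or a disassembly, as in the next step of the post, is what actually tells you what the injected code does.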
So we see that "ZwClose" is at that memory location. Let's switch context into PID 668 and disassemble that location.
... and yet another disassembly, this one at 0x009400F2.
Ok then, if the objective was to learn to use Rekall for memory forensics, I think we have achieved that to some extent. Once again, thanks to Mike for his post on analyzing Stuxnet using Volatility.